I'm fearful that IS management will be of no help to you, since they haven't been able to prevent the situation from occuring to this point.
Really, this is 2010. Do we even need to *have* this discussion about admin levels and appropriate level of rights? My guess is that you better start thinking about how much political clout you're going to expend on this. I'd say it is one of the most important battles you can fight for, but the ultimate decision is up to you. :) *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker> *Exploiting Technology for Business Advantage...* * * On Thu, Sep 30, 2010 at 9:18 AM, James Rankin <[email protected]> wrote: > I am raising this up with IS management, as it is unsupportable - there's > no point in me putting a structure together that can just be pulled apart at > will. > > There's no way around it, so I'm just going to have to trust in my own > stubbornness to get the buy-in I need :-) Audit was going to be one of the > hot words to throw into the debate, though. I'd be interested myself in > seeing the results of any previous audits they've had here. > > > On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote: > >> *>>**However, the business are adamant that every member of the support >> teams (from helpdesk upwards) will be given a Domain Admin account. Am I >> right in assuming this means that they could simply add themselves into the >> groups I am setting up, because even if I restrict these groups via an ACL, >> they could just take ownership of the group?* >> >> You might need to enlist the assistance of... dare I say it? ... >> Auditors. >> >> If everyone is a domain admin, then they can all do whatsoever they want >> in the domain. >> >> Seriously, is your organization not subject to some you sort of regulatory >> compliance? Who is your CTO/CIO? >> >> >> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker> >> *Exploiting Technology for Business Advantage...* >> * * >> >> >> >> On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]>wrote: >> >>> However, the business are adamant that every member of the support teams >>> (from helpdesk upwards) will be given a Domain Admin account. Am I right in >>> assuming this means that they could simply add themselves into the groups I >>> am setting up, because even if I restrict these groups via an ACL, they >>> could just take ownership of the group? >> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
